Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security. Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards.
Score: 79
Quality: 68% (Does it follow best practices?)
Impact: 95% (1.21x average score across 3 eval scenarios)
Status: Passed, no known issues
Quality
Discovery: 100%
Based on the skill's description, can an agent find and select it at the right time? Clear, specific descriptions lead to better discovery.
This is a well-crafted skill description that clearly identifies specific Kubernetes security resources (NetworkPolicy, PodSecurityPolicy, RBAC), uses natural trigger terms users would employ, and includes an explicit 'Use when' clause with multiple trigger scenarios. It occupies a clear niche at the intersection of Kubernetes and security, making it distinctive and unlikely to conflict with broader skills.
| Dimension | Reasoning | Score |
|---|---|---|
| Specificity | Lists multiple specific concrete actions: 'Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC for production-grade security.' These are specific, named Kubernetes resources and concepts. | 3 / 3 |
| Completeness | Clearly answers both what ('Implement Kubernetes security policies including NetworkPolicy, PodSecurityPolicy, and RBAC') and when ('Use when securing Kubernetes clusters, implementing network isolation, or enforcing pod security standards') with an explicit 'Use when' clause. | 3 / 3 |
| Trigger Term Quality | Includes strong natural keywords users would say: 'Kubernetes', 'security policies', 'NetworkPolicy', 'PodSecurityPolicy', 'RBAC', 'network isolation', 'pod security standards', 'securing Kubernetes clusters'. Good coverage of both specific resource names and broader concepts. | 3 / 3 |
| Distinctiveness / Conflict Risk | Clearly scoped to Kubernetes security specifically, with distinct triggers like NetworkPolicy, PodSecurityPolicy, RBAC, and pod security standards. Unlikely to conflict with general Kubernetes skills or general security skills due to the specific intersection of both domains. | 3 / 3 |
| Total | | 12 / 12 Passed |
Implementation: 37%
Reviews the quality of instructions and guidance provided to agents. Good implementation is clear, handles edge cases, and produces reliable results.
This skill is a comprehensive reference catalog of Kubernetes security YAML manifests with strong actionability but poor token efficiency and workflow clarity. It reads more like documentation than an operational skill—there's no sequenced process for implementing security policies, no validation steps, and substantial content that Claude already knows (compliance framework bullet points, basic security best practices). The content would benefit greatly from being restructured into a concise workflow with references to detailed examples in separate files.
Suggestions

- Add a clear sequenced workflow (e.g., '1. Apply default-deny NetworkPolicy → 2. Verify with kubectl describe → 3. Add allow rules → 4. Test connectivity → 5. Apply RBAC → 6. Verify with kubectl auth can-i') with explicit validation checkpoints between steps.
- Consolidate the three nearly-identical Pod Security Standards examples into a single parameterized example showing the label pattern, with a brief note that the value can be 'privileged', 'baseline', or 'restricted'.
- Move the compliance frameworks, Istio service mesh, and OPA Gatekeeper sections into separate referenced files to reduce the main skill to a focused overview with clear navigation.
- Remove the 'Best Practices' bullet list and 'Purpose'/'When to Use' sections; these are generic knowledge Claude already has and consume tokens without adding actionable value.
| Dimension | Reasoning | Score |
|---|---|---|
| Conciseness | The skill is extremely verbose at ~300 lines, with significant redundancy. The three Pod Security Standards examples are nearly identical (differing only in one label value). The compliance frameworks section lists generic security advice Claude already knows. The 'Best Practices' section is a list of general Kubernetes security truisms that add no novel instruction. The 'When to Use This Skill' and 'Purpose' sections are redundant with each other. | 1 / 3 |
| Actionability | The skill provides fully executable, copy-paste-ready YAML manifests for every major concept: NetworkPolicy, RBAC roles/bindings, Pod security contexts, OPA Gatekeeper templates, and Istio policies. The troubleshooting section includes concrete kubectl commands. All examples are complete and directly applicable. | 3 / 3 |
| Workflow Clarity | There is no sequenced workflow for implementing security policies. The content is a reference catalog of YAML snippets with no ordering, no validation checkpoints, and no feedback loops. For security-critical operations like applying NetworkPolicies or RBAC changes, there are no steps to verify policies are working correctly before proceeding. The troubleshooting section is an afterthought rather than integrated validation. | 1 / 3 |
| Progressive Disclosure | The skill references external files (assets/network-policy-template.yaml, references/rbac-patterns.md) and related skills, which is good structure. However, no bundle files exist to back these references, and the main file is monolithic with large inline YAML blocks that could be split into referenced files. The compliance frameworks and Istio sections could easily be separate documents. | 2 / 3 |
| Total | | 7 / 12 Passed |
Validation: 100%
Checks the skill against the spec for correct structure and formatting. All validation checks must pass before discovery and implementation can be scored.
Validation for skill structure: 11 / 11 Passed. No warnings or errors.
b09ec7f